Ancestors

Written by Zbigniew Jędrzejewski-Szmek on 2024-02-07 at 14:26

Excellent FOSDEM talk about Nix and vendoring in software projects by @delroth: https://fosdem.org/2024/schedule/event/fosdem-2024-1983-remediating-thousands-of-untracked-security-vulnerabilities-in-nixpkgs/


Toot

Written by Zbigniew Jędrzejewski-Szmek on 2024-02-07 at 14:31

@delroth: for the question of dealing with lock files in rust crates: just ignore them.

This is what Fedora is doing. It's more work upfront, but it avoids the vendor-lock hell.


Descendants

Written by Pierre Bourdon on 2024-02-07 at 14:40

@zbyszek unfortunately that only solves half of the problem, since Cargo.toml itself usually locks direct dependencies to specific versions too...

Would be interesting to see how much this changes the data though, assuming only the version locking from Cargo.toml is kept and not the deps-of-deps locking.


Written by Pierre Bourdon on 2024-02-07 at 14:41

@zbyszek and while I guess you could also ignore Cargo.toml version locks, that would cause so much breakage that I think it would make packaging anything remotely complex basically impossible. But maybe Fedora has tried that and had success?


Written by Morten Linderud on 2024-02-07 at 15:15

@delroth @zbyszek

We do this with the python ecosystem in Arch, and it works surprisingly well actually.


Written by Pierre Bourdon on 2024-02-07 at 15:16

@Foxboron @zbyszek that's also how Python in nixpkgs works, but I think Rust generally has more deps and is more tightly bound to versions, unfortunately :(


Written by Morten Linderud on 2024-02-07 at 15:20

@delroth @zbyszek

It would be nice to figure out if this is a hunch you have or actually true though :)


Written by Zbigniew Jędrzejewski-Szmek on 2024-02-10 at 12:33

@delroth Fedora has a general policy of preferring to have just one version of any project at any given time in a specific Fedora version. Thus, we will generally try to build all Rust packages against the same version of the dependency. This seems hard to do, but it turns out most projects' Cargo.toml version locks are sensible, i.e. they don't overconstrain the dependencies.


Original URL
gemini://mastogem.picasoft.net/thread/111890681409973784